
An Enterprise Innovation Guide Cloud...

Date post: 22-May-2020
Cloud security not just an IT question Cloud Security An Enterprise Innovation Guide Sponsored by Published by
Page 1: An Enterprise Innovation Guide Cloud Securitydocs.media.bitpipe.com/io_11x/io_111063/item_745697... · cloud security Cloud to capture 10% of security market by 2015 ClouD ComPutINg

Cloud security not just an IT question

Cloud Security: An Enterprise Innovation Guide

Sponsored by / Published by


Editorial and publishing office: Questex Asia Ltd, 13/F, 88 Hing Fat Street, Causeway Bay, Hong Kong. Tel: +852 2559 2772. Fax: +852 2559 7002. Website: www.enterpriseinnovation.net. Subscription Hotline: +852 2589 1313. Subscription Fax: +852 2559 2015. E-mail: [email protected]

Cloud Security Guide is published by Questex Asia Ltd, 13/F, 88 Hing Fat Street, Causeway Bay, Hong Kong. Printed in Hong Kong. © 2013 Questex Media Group LCC.

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any information storage or retrieval system, without permission in writing from the publisher.

Managing Director Jonathan Bigelow [email protected]

Group Publisher Simon Yeung [email protected] Regional Account Director Clarise Goh [email protected] Account Manager Careshma Ramroop [email protected]

Group Editor Chee Sing Chan [email protected] Deputy Editor Rahul Joshi Contributing Writers Jason Krupp, Dylan Bushell-Embling

Art Director Dick Wong [email protected]

HR & Admin Manager Janis Lam [email protected]

Accounting Manager Nancy Chung [email protected]

Director, Audience Development – R&D Will Ahmad [email protected] Assistant Circulation Manager Shipman Kwok [email protected]

Table of Contents

Trends: Public and private cloud to increase by 50% by 2020

Interview: Cloud model requires security rethink

Feature: Cloud security not just an IT question

Opinion: Can banks overcome the fear of cloud?


Public and private cloud to increase by 50% by 2020

Almost 70% of business and technology executives in APAC believe that cloud computing will be at least as disruptive to the technology landscape as the impact of virtualization or the internet, according to Coleman Parkes Research’s survey findings. Commissioned by HP, Coleman Parkes’ survey, titled The Future of Cloud, revealed that senior business and technology executives expect public and private cloud delivery models to increase by 50%. The other key findings of the study include:

• Currently, only 27% of enterprise delivery models are cloud-based.
• The top three barriers to cloud services adoption are security concerns (35%), transformation concerns (31%), and compliance or governance concerns (16%).
• Business and IT executives recognize that cloud implementation will be critical to driving successful outcomes and innovation.
• About one in two CEOs and CFOs are currently setting cloud strategies for their organizations.

Murky forecast still projected for cloud security

Despite the best efforts of cloud service providers and industry groups, cloud security remains a troublesome issue for IT execs. At an RSA session earlier this year devoted to cloud security, IT security pros complained about the lack of transparency among cloud providers and how that makes it extremely difficult to make informed buying decisions.

Attendees in the audience pointed out that there’s currently no certification for cloud security. So, where does that leave IT execs? Nils Puhlmann, former CSO at Zynga, suggested that IT execs grill prospective cloud service providers. In his experience, particularly with startups, “nine out of 10 fall apart” when you ask the tough questions.

Cloud to capture 10% of security market by 2015

Cloud computing is transforming the enterprise IT security market. Gartner expects 10% of IT enterprise security products to be delivered via the cloud by 2015. The research firm predicts that the cloud-based security services market will surge to US$4.2 billion by 2016.

Cloud-based security services are having a particular impact on buying behaviors in segments including secure email and web gateways, remote vulnerability assessment and Identi

Cloud boosting profits, helping start-ups start

A majority (56%) of cloud computing adopters believe the technology has helped them improve profits, while nearly nine in 10 report it has helped them save costs. These are among the key findings of a survey by the University of Manchester’s Business School, commissioned by Rackspace.

Start-ups are also gaining from cloud computing, the survey suggests. More than 90% of companies polled which had been established in the last three years agreed that the infrastructure savings offered by cloud computing had helped them get their business off the ground.


Cloud computing model requires security rethink

Transformation of IT operating models brings disruption to security frameworks

By Enterprise Innovation editors

Lawrence Ong at HP: Cloud security is more than just physical controls

Cloud computing and other technology mega-trends are transforming modern IT today. Technology is being integrated into every facet of the business, and IT is rapidly transforming into a business enabler.

As cloud computing gives users access to new scale, new capability and flexibility, IT departments are likewise being required to rethink their approaches to security, while retaining the core principles on keeping companies and their confidential data secure.

Lawrence Ong, general manager for Enterprise Security Services at HP Enterprise Services, Asia Pacific & Japan, noted that “security is always a top concern for cloud adoption.”

Security to risk management

Due to the changing face of IT, Ong believes that the traditional approach to security – with its focus on the hardware and software – is old-hat. “We need to move from security into what we refer to as risk management,” he said.

“At HP we describe security as having three key Ps, people, processes and products or technology. You may have the best technology but if your employee goes around sticking post-it notes on their monitors with their username and password, no amount of best technology can help you overcome that violation.”

Part of the issue with focusing on the technology is that it means security discussions are often phrased in a way business leaders might not understand.

“Talk to business owners about firewalls, NTFS or antivirus and you will find that the care factor is not that great,” Ong said. “The language security professionals use is not aligned to the business language, and so to avoid misconceptions and misunderstandings it is essential that we keep our messages simple and avoid security acronyms and jargon.”

At the moment IT risk management is very much the scope and remit of CIOs and CSOs, but as IT becomes more of a business process enabler, it will become an enterprise-wide issue. “Then we’ll eventually move to what we call enterprise risk management,” Ong said.

The risk discussion

Companies adopting cloud computing need to identify which assets, whether information or systems, support the most critical business processes within an organization.


Once this is complete, companies need to ask some simple questions, Ong said. “In the event that this system becomes unavailable, what is the impact on your business? If the information gets lost, does it cause your company major problems such as financial loss, exposure to litigation, loss of client or citizen confidence, or loss of brand image?”

This approach frames security and risk in clear terms that the business can understand and act on.

Key challenges

But one key assumption of the new risk management approach to security is that while it may be possible to minimize risks, it is not always practical to eliminate them entirely.

As companies dealing with stricter regulation regarding the handling of credit card data know all too well, “at some point in time, the ability to contain the risk becomes impossible,” Ong said. “So this is where the executive committee within the business needs to address and accept the risk.”

Some of the risk can be offloaded through commercial contracts with cloud providers, and can even potentially be alleviated for both parties by outsourcing it to an insurance organization. But if it cannot be outsourced, then organisations may have to accept the risk of a negative business outcome.

Migrating to private or public cloud services creates a number of risk and security issues that need to be addressed.

Many of the challenges will be familiar to organizations with experience using IT outsourcing. As a general rule, Ong estimates that the procurement process will typically be 80% similar for cloud and outsourced IT services.

When moving to the public cloud, business information is no longer in the hands of the company. To preserve business confidence that this data won’t fall into the wrong hands, encryption has emerged as a “key enabler,” Ong said.

With a private cloud model, this is not as important, as the data is typically still on-premise. But there are security concerns that must be considered even in this case, namely VM sprawl, where virtual machines are created without being managed.

Ong said these issues can be avoided if you have formal processes around information lifecycle management, or how systems are created and de-commissioned within your organization. “It depends on the maturity of lifecycle management within your private cloud.”

He said the real challenge around the cloud relates to data integrity, and the various regulatory regimes some companies are working under.

Organizations in certain heavily-regulated industries are required to be able to prove where their data is at any time, in the event that the regulator has to bring a case against that company. This poses a problem when companies are using public cloud services such as Office 365 or Google Docs, because the data processing is so heavily distributed.

“That’s the challenge for business, you may have the best intent but due to the way systems are built, these cloud providers might not have that ability to meet the regulators’ requirements,” Ong said.

Access management

The Cloud Security Alliance has formulated a series of best practices for cloud adoption and control.

These best practices combine ISO and other standards with entrenched frameworks adopted by American companies. Ong noted that one key element common across the various standards and frameworks is a focus on access management.

Organizations’ approaches to access management need to take into account that employees are going to be making use of both software-as-a-service (SaaS) and traditional enterprise applications, Ong said.

The best practices thus focus on how to consolidate applications for both in-house and cloud-based applications.

But the issue again becomes relaying the importance of access management to the rest of the business, Ong said. “The ability to communicate in a non-technical perspective in the language of the business owners and the marketing officers – who might not be aware of the risks – this is where the challenge is for the industry.”

The security life-cycle

Cloud security is more than just physical controls. Just as important are the other two Ps in Ong’s three P’s of security – the policies and the people.

“What we advocate within HP is basically what we call security life-cycle management,” Ong said.

When helping a client move from siloed systems to the cloud, HP starts by reviewing a company’s strategy and policies, and provides recommendations on how they need to be updated.

Next the company tackles the governance and policy layers, to make sure there won’t be any issues at the employee level.

Then HP helps companies introduce technologies to automate the controls, the processes and people.

This holistic approach “helps you reduce your risks, which then helps you adopt the new technologies that can support your business,” Ong said.

The language security professionals use is not aligned to the business language of today


Cloud security not just an IT question

IT leaders suggest cloud strategy must be based on assessment of business case and risk before deployment occurs

By Dylan Bushell-Embling

Due to its promise of unprecedented business agility, most large organizations have adopted or are considering adopting some form of cloud computing.

Even the most reticent of companies will soon find the cloud seeping in around the edges, due to their employees’ use of personal cloud services.

But any migration to the cloud needs to be carefully managed to ensure that business critical data remains safe. Organizations need to set clear policies around data protection, and employees need to be educated about the risks. This requires the involvement not just of IT, but of the wider business.

Cloud adoption is inevitable

IT leaders are coming around to the reality that cloud adoption is going to happen, whether they want it to or not.

Richard Stagg, managing consultant for security firm in Hong Kong, Handshake Networks, noted that in practice, saying ‘no’ to the cloud “just doesn’t work”.

Stagg joined other security experts and heads of IT to discuss the challenges of cloud security at the recent Infosecurity Conference 2013 in Hong Kong.

“If IT does say ‘no’ then the staff who want the service will just go out and procure it anyway. Then you end up with shadow IT, with unmanaged cloud services that are not going through the due diligence processes,” Stagg added.

There are of course security challenges and risks associated with cloud, and the IT department may sometimes need to step in to veto a particular provider or steer people to a more enterprise-focused service, he said.

“But in the grand scheme of things internal IT just cannot provide the same flexibility, the capacity, and the ready-made applications that are available on the cloud. At this point, if people want to use these services, if there is a business case, then of course they must. The IT department should never be standing in the way of that.”

Alex Skilton, senior manager at KPMG, agreed that IT needs to walk the fine line between enabling and being a gatekeeper. This is where a clear set of cloud principles that can be used to assess risk can be invaluable.

But this also requires IT to engage with the rest of the business on strategy discussions, he said. “Unfortunately in IT sometimes we’re just masters of getting the job done rather than being able to have that strategic conversation. I think that’s the main challenge.”

Fuller Yu at AIA: Start by establishing a cloud strategy which includes a clear set of principles built around risk assessment

Start with cloud strategies

As important as it may be, security is rarely the starting point for any discussion about moving to the cloud.

Fuller Yu, Head of Technology Risk, Technology Governance, Group Strategy, Technology & Operations at AIA Group Limited, said it’s important for any organization to start by establishing a cloud strategy which includes a clear set of principles built around risk assessment and security.

Yu said AIA uses an underlying cloud strategy as a starting-point, then considers the business case for moving a process to the cloud. If it meets the criteria, then IT starts thinking about the data that’s going to be shared. The next step is devising strategies to protect it, and developing an understanding of the risk of having the data in the cloud.

In this context, “info security is just another way to make sure we help the business to make a decision, help them to take a risk,” he said.

Cloud procurement

It is also imperative to keep security principles in mind when selecting a cloud provider and penning a service contract.

The good news is many organizations have already experienced outsourcing IT services to a third party, and most of the techniques and processes used for assessing providers and ensuring security requirements are met, still apply when choosing a cloud provider.

KPMG’s Skilton said many of the third-party risk assessment concepts are the same between IT outsourcing such as software-as-a-service and cloud computing.

“We would recommend that the standard third-party assessment that you go through shouldn’t really be changing,” he said. “It’s all about making sure you understand the requirements of the service [and] build those into a contract.”

A subtle but important difference between the outsourcing and the cloud computing model revolves around ownership and control of a company’s data. Skilton said under the SaaS model, companies arguably have less control over their data, with SaaS providers able to “pull the plug” at any time.

But for the cloud model, “the balance of accountability, of ownership of the data – the control if you like – between the provider and the customer is perhaps more [even],” he said.

Stagg agreed that the cloud model allows for more fine-grain control. “With outsourcing it’s technically sort of all or nothing, whereas cloud gives you a real sort of analogue volume control over exactly how much you outsource.”

But from a security perspective, some of the same challenges faced by adopting the outsourcing model also apply, Stagg said, giving examples of establishing SLAs and a right-of-audit.

Whether deploying a private cloud on virtual servers, or signing up for a public cloud service, KPMG’s Skilton said it is important to hammer out agreements on how data would be managed – and who else has access – at the negotiation stage.

“Throughout the contract, [organizations should] have the right people at the table to ask the right questions, so that a provider doesn’t have the ability to give some sort of vague assurance without it being solidified through a professional agreement.”

Policies and the people problem

The reality that employees will adopt cloud services with or without IT’s blessing puts the onus on the department to ensure that business-critical data remains protected. The rapid rise of the personal cloud has led some security specialists to declare that DropBox is the new USB threat.

Zoran Iliev, Master of eForensics and Enterprise Security and Certified Interpol TT Computer Forensics Instructor, said this is not an entirely new problem. It goes back to the same issue companies have faced for years – classification of data.

While there are controls that can be used to detect if employees are moving classified data to places they shouldn’t – using techniques including hashing and metadata – it is also important to have clear rules and policies for employees, Iliev said. “And if we have rules, we need to follow them up, we need to re-enforce them and explain them.”

Stagg noted that this is a company-wide problem. “One of the things that always seems to be missing from the discussion [about] the challenges of the personal cloud...is, where are the HR guys? IT can’t enforce anything, I’d like to give someone a kicking, I can only make guidelines.”

HR should be working with IT to help inform employees about data policies, and periodically remind them about the rules, he said. “And when they find somebody who’s been stashing things in their Dropbox, give them the previously-mentioned kicking.”

This will likely become increasingly important now that the next generation are joining the workforce.

Many business leaders have expressed concerns that these workers are so accustomed to hyper-connectivity, social networking and powerful consumer devices in their lives as consumers, they may not have the expectation that they should behave differently at work. Without education, they may not intrinsically understand rules around protecting sensitive data.

“The new generation of people come to the workplace, and they do have some expectations,” AIA’s Yu said. “So I think it poses a challenge not only for the IT people but for the organisation themselves.”

Zoran added that the problem boils down to a lack of communication. “I believe that the biggest issue is that no-one’s talking about it. If we made the effort to explain [the rules] and tell them about it, I believe it will work.”


The personal cloud has led some security specialists to declare that DropBox is the new USB threat

Zoran Iliev: It goes back to the same issue companies have faced for years – classification of data

Sponsored Feature by HP

Rethink security in a broader context

Cloud, consumerization and mobile put spotlight on revising the security strategy

Every business decision has inherent risk, and it is essential to understand and make decisions based on the cost and potential value of that risk. CIOs and CISOs no longer lie awake at night worrying just about defending their organization’s perimeters and the latest worm outbreak. The challenges facing security leaders today are far more complex.

Consider these recent trends and their impact on risk:

Cloud: CIOs see the benefits of cloud computing: leveraging standardized applications, reduced maintenance, pay-per-use models, and reduced capital expenditures. But risk is inherent with cloud services. Not only must CIOs maintain compliance, privacy, and transaction integrity, but they must also extend these across the service supply chain that comprises the cloud services they are using.

Consumerization: Today’s employees bring personal devices to work and take work devices home. For many, there is no longer a hard line between work and home devices. This can present challenges – controlling network access, identity, application permissions, and other elements is much more difficult than ever before.

Mobility: Working at home, on an airplane, or in another city or country has become commonplace. Now data has a level of mobility never experienced before, yet laptops, tablets, phones, and even printers must accommodate secure operations.

Obviously, several issues have arisen from the reliance on a traditional approach to security. Many enterprises now have a patchwork of processes and technologies that simply don’t work well together. Maybe it’s time to rethink security in a broader context and to bring everyone in your enterprise together – across silos and functional roles – so that you can protect what really matters: the information capital running through all your business processes.

Sustainable security ecosystem

The challenge is to create an integrated ecosystem that can not only anticipate but also prevent threats, wherever and whenever they affect your enterprise.

Think about:

• Managing risk in the era of IT consumerization, mobile computing, cloud adoption, rampant cyber threats, and the spread of social media technologies
• Protecting against increasingly sophisticated threats
• Improving detection of and reaction time to security incidents
• Reducing administration costs and efficiently spending security dollars
• Achieving compliance in a predictable and cost-effective way

HP addresses the above tasks by first establishing a framework to link information security management and governance with the operations and technology required to achieve end-to-end security.

The HP Enterprise Security Solutions framework comprises three major elements:

1. Information security management
2. Security operations
3. Discrete security capabilities for data center, network, application, and endpoint security

In developing an effective strategy for enterprise security, it is important to understand that, along with the technology component, people and processes come into play as well. By combining the three elements of people, process, and technology you are able not only to build a cohesive and integrated solution, but also to mitigate compliance risks and manage compliance requirements, whether they are regulatory, commercial, or organizational. The resulting solution is fit for the purpose as well as cost-effective.

Enterprises clearly face an ever-increasing need to bring products and services to market faster and to meet the increasing demands from consumers, citizens, and governments. Cloud computing promotes better ways to source, deliver, and govern highly flexible, scalable business-driven services.

Shifting mindset

This transition entails a shift of focus from technology to services. So organizations must move beyond the data center and “up the stack” to include applications and business processes to achieve greater value from their IT.

That’s where the cloud and everything as a service (XaaS) come in. The cloud enables the access and use of low-cost, easy-to-use, and flexible hardware and software components via Internet technologies. Through the cloud, everything will be delivered as a service, from computing power to storage to business processes to personal interactions. Applications run the business, so there needs to be a seamlessly integrated, end-to-end view of all the infrastructure’s applications, infrastructure, services, and management capabilities.

There are many technology, business-model, and sociological barriers that need to be addressed before all application domains can move to the cloud. And while that trend towards cloud gathers pace, companies will see that tremendous economic value can be unlocked when application domains reach the appropriate economies of scale.

But applications that are built from the ground up today need to be cloud-ready. Developers should take into account several security, availability, and performance considerations when adjusting or building applications for cloud.

Cloud security considerations

From a security perspective, there is a movement toward an integrated security approach as opposed to the bolt-on security implementations of the past. IT leaders should look to implement standard security practices such as overwriting sensitive memory storage upon exit and ensuring that sensitive data is not packaged in Virtual Machine Images. Additional cloud security practices should include enforcing identity management and separation of roles, as well as adoption of ISO 177799, SAS 70, and PCI DSS practices.

Performance issues

In light of the cloud trend, the key components of modern application development must include: replication capability (in conjunction with the infrastructure capability), load balancing, and clustering needs. And when it comes to performance, developers need to consider the impact of network latency and bandwidth on application performance. Furthermore, the development process needs to take into account the application scalability needs and allow for performance and stress testing.

To enable a complete cloud-model transformation, there must be dynamic orchestration of custom applications, middleware, database, operating systems, and infrastructure components. There should also be a change control mechanism for workflow and governance across the lifecycle.

Focusing on “always-on” service delivery is no longer optional – it’s essential. And in a hybrid delivery environment that promises greater control and flexibility, enterprises and governments should examine offerings such as cloud and services based on functionality and fit, and deploy those that deliver the desired business outcomes.

These considerations must be applied throughout the traditional IT, cloud, and even in-house solutions that an enterprise deploys.


Rethink security strategy with HP

HP Enterprise Security Solutions can help solve the risks associated with the runaway pace of security issues. Our security methodology – developed over many years of practical experience in identity, network, application, and endpoint security – helps shape the enterprise defense system in a way that supports business/government objectives.

HP secures your entire IT infrastructure by addressing all aspects of security – people, processes, technology, and content. We protect your assets and resources while helping you comply with today’s regulatory environment.

The HP Enterprise Security portfolio is built on HP’s rich portfolio of products and services. Our approach is to carefully align security to ever-changing business and government demands in a way that secures assets, resources, and information to manage risk and protect innovation.

Proven capabilities, proven results

HP employs more than 3,000 security and privacy professionals and holds more than 600 security patents. Worldwide, our Enterprise Security Solutions:

• Discover more than four times as many critical application vulnerabilities as other solutions in the market combined
• Prevent 550 million junk mail and 1.7 billion spam messages from reaching users monthly
• Detect and quarantine 45 million instances of malware annually
• Secure more than 1 million applications and 2 billion lines of code for clients
• Collect, store, and process 3.5 billion events daily
• Support more than 3.8 million smartcards, 1.3 million tokens, 34 certificate authorities, and 54 million usernames and passwords

Find out more

For more information about designing a layered system of defense for your enterprise, please email: [email protected]


By Omid Mahboubi, Asia Cloud Computing Association

Can banks overcome their fear of cloud?

NEPHoPHoBIA is the abnormal fear of clouds, something that banks and financial services institutions relate to. things we do not understand are usually terrifying because we just do not seem to quite figure out what they are capable of doing to us. this fear is the primary reason why organiza-tions tend to maintain a better-safe-than-sorry attitude when it comes to cloud computing.

However, banks are generally IT enthusiasts. Gartner predicts the banking and securities sector will spend $84 billion on IT by 2016, making this sector the biggest IT buyer of any vertical (insurance is 4th). Financial services CIOs fully appreciate the advantages that information technology has to offer. Cloud computing, however, is not like any technological disruption they have seen since the internet itself arrived, and that demands caution.

To identify the fear, a bank needs to answer the following questions:

• Are the existing cloud models mature enough to comply with regulatory regimes? Can I be properly audited? Where is my data sitting at any given time?

• What if it is not secure enough? Banking-class secure enough? Isn’t cloud an open invitation to cyber criminals?

• How different is cloud from other outsourcing initiatives we are already engaged with? Should we follow the same approaches here, e.g. extensive analyses, risk assessment, SLA discussions, etc.? Simply put, how much headache are we talking about?

• Am I in control?

The answers to some of these questions are very subjective and require a thorough understanding of a bank’s architecture and business processes. The result of this exercise, however, can be a step towards a rewarding cloud journey.

Analyze your cloud fear

The next step would be to analyze this fear. A history of IT outsourcing failures could well be triggering your anxiety.

Was your last IT outsourcing decision regarded as a responsibility outsourcing? Have you recently convinced your CFO to approve a budget to build a data center? Have you just recovered from a security breach? That is, have you recently fought for and implemented an IT project in your organization, and migrating to the cloud would mean you will have to admit the previous project was not a good idea?

A part of a thorough analysis is to link the cloud to your desired outcome. There are ways in which cloud computing can contribute to regulatory compliance or security. Think about leveraging cloud technologies to have a flexible architecture able to easily implement Basel III, for example, or how cloud is contributing to the feasibility of brand new identity management practices.

Take control

One way to break free of a fear is to confront it head-on. This is a phase where a cloud solution is deployed, making management more comfortable with the phenomenon. Choosing a financial-sector-friendly cloud service provider for a non-mission-critical part of your business could contribute to the sense of control. This, however, should be seen as one stage of a broader cloud implementation roadmap.

I do not know of a financial institution or any other institution for that matter that cannot benefit from cloud computing one way or the other.

First, one needs to migrate their mindset to the cloud before migrating their IT function.

The process starts with a change in perception, although not every C-level executive is an instant convert after the previous steps. This is the time to start looking at cloud computing not as an individual technology but as an IT consumption/delivery model.

Deutsche Bank Research suggests that banks in Europe spend two-thirds of their IT budget on running the bank and one-third on changing the bank. Changing how you think about cloud helps you understand what roles cloud is capable of playing to potentially reverse this ratio. It would probably be a good idea to focus on evolving into a ‘smarter’ bank.

Omid Mahboubi is director of Business Development, Malaysia Chapter Director and podcast host at the Asia Cloud Computing Association
